CVE-2016-3087
Published 2016-06-07
Priority P182 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 81.09% (99.6th percentile)
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.21 | 1.0.1f-1ubuntu2.21 |
| openssl | openssl | >= 0 < 1.0.2g-1ubuntu4.5 | 1.0.2g-1ubuntu4.5 |
Detection & IOCs (extracted from sources)
- Look for HTTP POST requests containing OGNL expressions with '!' (exclamation mark) operator in the URI path targeting REST plugin endpoints, particularly patterns like `#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS` URL-encoded in the request path.
- Detect OGNL payloads referencing `@org.apache.struts2.ServletActionContext@getResponse().getWriter()` or `@java.lang.Runtime@getRuntime().exec(` in HTTP request URIs, which are characteristic of S2-033 exploitation.
- Monitor for HTTP POST requests to REST plugin paths where the URI contains URL-encoded OGNL expressions including `#xx.toString.json` and `#xx:#request.toString`, as the exploit appends these as the payload suffix.
- Detect use of `sun.misc.BASE64Decoder` and `@org.apache.commons.io.IOUtils@toString` within OGNL expressions in HTTP requests, indicating command execution with base64-encoded command parameters.
- Alert on HTTP 200 responses to REST plugin endpoints where the response body contains arithmetic sum results flanked by random alpha strings; this is the vulnerability check/canary pattern used by exploit tools.
- The vulnerability is only exploitable when Dynamic Method Invocation (DMI) is explicitly enabled in the Struts configuration. Installations with DMI disabled are not affected.
- Affected versions are 2.3.20–2.3.28, but versions 2.3.20.2 and 2.3.24.2 are explicitly patched and not vulnerable.
- The exploit requires the REST Plugin to be present and active in the Struts application; applications not using the REST Plugin are not exploitable via this vector.
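A log-triage sketch for the request-side indicators listed above, added here as an example (it is not code from any of the quoted sources). The access-log lines are constructed, the hosts and paths are placeholders, and the function names are hypothetical; the request target is percent-decoded repeatedly before matching because the indicators arrive URL-encoded, sometimes more than once.

```python
import re
from urllib.parse import unquote

# Request-side indicator strings quoted in the list above.
INDICATORS = {
    "member_access_reset": "DEFAULT_MEMBER_ACCESS",
    "runtime_exec": "@java.lang.Runtime@getRuntime().exec(",
    "response_writer": "@org.apache.struts2.ServletActionContext@getResponse().getWriter()",
    "base64_decoder": "sun.misc.BASE64Decoder",
    "ioutils_tostring": "@org.apache.commons.io.IOUtils@toString",
    "suffix_json": "#xx.toString.json",
    "suffix_request": "#xx:#request.toString",
}

# Common/combined log format request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded targets still match."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return the sorted indicator names found in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = fully_decode(m.group("target"))
    return sorted(name for name, token in INDICATORS.items() if token in target)

def scan(lines):
    """Map 1-based line number -> indicator names, for lines with a hit."""
    results = ((n, scan_line(line)) for n, line in enumerate(lines, 1))
    return {n: found for n, found in results if found}

# Constructed sample lines (placeholder hosts and paths, not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2016:10:00:01 +0000] "GET /shop/orders/3 HTTP/1.1" 200 512',
    '192.0.2.44 - - [07/Jun/2016:10:00:05 +0000] "POST /shop/orders/3/%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23xx.toString.json HTTP/1.1" 200 18',
    '192.0.2.44 - - [07/Jun/2016:10:00:09 +0000] "POST /shop/orders/3/%2540java.lang.Runtime%2540getRuntime().exec(PLACEHOLDER) HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A token match in a decoded request target is a triage signal only; whether the host was actually exposed still depends on the DMI and REST Plugin conditions listed above.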
CVSS provenance
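| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |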
GHSA
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
ghsa·2022-05-14
CVE-2016-3087 [CRITICAL] CWE-20 Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.
OSV
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
osv·2022-05-14
CVE-2016-3087 [CRITICAL] Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.
OSV
openssl regression
osv·2016-09-23·CVSS 9.8
CVE-2016-2182 openssl regression
USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was
incomplete and caused a regression when parsing certificates. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request
extension. A remote attacker could possibly use this issue to cause memory
consumption, resulting in a denial of service. (CVE-2016-6304)
Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue has only been addressed in Ubuntu 16.04 LTS in this update.
(CVE-2016-2177)
César Pereida, Billy Brumley, and Y
Red Hat
struts: Passing malicious expression can cause RCE when Dynamic Method Invocation is enabled and REST plugin is used
vendor_redhat·2016-05-31·CVSS 9.8
CVE-2016-3087 [CRITICAL] CWE-20 struts: Passing malicious expression can cause RCE when Dynamic Method Invocation is enabled and REST plugin is used
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclu
No detection rules found.
Exploit-DB
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
exploitdb·2017-06-06
CVE-2016-3087 Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
---
```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import random
import base64

upperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lowerAlpha = "abcdefghijklmnopqrstuvwxyz"
numerals = "0123456789"
allchars = [chr(_) for _ in xrange(0x00, 0xFF + 0x01)]

def rand_base(length, bad, chars):
    '''generate a random string with chars collection'''
    cset = (set(chars) - set(list(bad)))
    if len(cset) == 0:
        return ""
    chars = [list(cset)[random.randrange(len(cset))] for i in xrange(length)]
    chars = map(str, chars)
    return "".join(chars)

def rand_char(bad='', chars=allchars):
    '''generate a random char with chars collection'''
    return rand_base(1, bad, chars)

def rand_text(length, bad='', chars=allchars):
    '''generate
```
Exploit-DB
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)
exploitdb·2016-06-10
CVE-2016-3087 Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution',
  'Description' => %q{
    This module exploits a remote command execution vulnerability in Apache Struts
    version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
    Execution can be performed when using REST Plugin with ! operator when
    Dynamic Method Invocation is enabled.
  },
  'Author' => [
    'Nixawk' # original metasploit module
  ],
  'License' => MSF_LICENSE,
  'References' =>
    [
      [ 'CVE', '2016-3087' ],
      [ 'URL', 'https://www.se
```
Metasploit
Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Bugzilla
CVE-2016-3087 struts: Passing malicious expression can cause RCE when Dynamic Method Invocation is enabled and REST plugin is used
bugzilla·2016-06-01·CVSS 9.8
CVE-2016-3087 [CRITICAL] CVE-2016-3087 struts: Passing malicious expression can cause RCE when Dynamic Method Invocation is enabled and REST plugin is used
It was found that it is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled when using the REST Plugin with ! operation.
External Reference:
https://struts.apache.org/docs/s2-033.html
Discussion:
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been
- http://struts.apache.org/docs/s2-033.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21987854
- http://www.securityfocus.com/bid/90960
- http://www.securitytracker.com/id/1036017
- https://www.exploit-db.com/exploits/39919/
2016-06-07
Published